Amazon VGT2 Las Vegas: Creating Your Custom Software Asset Governance Framework on AWS


In today’s digital landscape, establishing a robust Software Asset Governance framework is crucial for organizations aiming to bolster their cybersecurity posture. This discipline encompasses various facets of Software Asset Management, as referenced in leading security standards such as the SANS CIS Critical Security Controls, NIST Special Publication 800-53, and the Cloud Security Alliance’s Cloud Control Matrix. Beyond cybersecurity, it addresses license compliance and optimizes IT cost management. An effective Software Asset Governance program initiates with a comprehensive inventory of both authorized and unauthorized software.

In this article, we guide you through leveraging AWS services to build an inventory of software deployed across AWS EC2 instances. Once the inventory is aggregated into a unified repository, we create dashboards that enable organizations to visualize security and compliance challenges that typically emerge in operational scenarios. For additional insights, you may also want to check out this related blog post here.

Solution Overview

The Software Asset Governance solution outlined here utilizes a combination of AWS services to pinpoint security and compliance issues associated with enterprise server deployments. The design is straightforward, featuring an account structure where AWS Systems Manager is set up in each child account, relaying inventory data to a master account, as illustrated below.

For this demonstration, we utilize four accounts, although the framework is adaptable for larger environments.

The solution addresses several common use cases, including:

  • The count of instances running outdated versions of the SSM Agent, organized by account.
  • The number of instances lacking essential applications, categorized by account.
  • Instances with required applications installed but not in an active state, by account.
  • Instances featuring blacklisted applications (e.g., Nmap), segmented by account.
  • The total count of application instances, per account.
  • Identification of the top three accounts with the most frequent occurrences of the above issues.
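The use cases above reduce to a handful of aggregate queries over the synced inventory tables. The following added example (not from the original article) runs that logic in SQLite over constructed inventory rows, using simplified versions of the aws_instanceinformation, aws_application and aws_service tables that a Systems Manager resource data sync produces; the table and column names are assumed to match what a Glue crawler would catalogue, and the required application, blacklisted tool and minimum agent version are constructed thresholds.

```python
import sqlite3
# Constructed rows shaped like the Glue tables an SSM resource data sync lands in S3
# (aws_instanceinformation, aws_application, aws_service); columns trimmed to what we query.
INSTANCES = [("111111111111", "i-0a", "3.2.0.0"), ("111111111111", "i-0b", "2.3.0.0"),
             ("222222222222", "i-0c", "2.3.0.0"), ("333333333333", "i-0d", "3.2.0.0")]
APPS = [("111111111111", "i-0a", "amazon-cloudwatch-agent"), ("111111111111", "i-0a", "nmap"),
        ("111111111111", "i-0b", "amazon-cloudwatch-agent"), ("222222222222", "i-0c", "nmap"),
        ("333333333333", "i-0d", "amazon-cloudwatch-agent")]
SERVICES = [("111111111111", "i-0a", "amazon-cloudwatch-agent", "Running"),
            ("111111111111", "i-0b", "amazon-cloudwatch-agent", "Stopped"),
            ("333333333333", "i-0d", "amazon-cloudwatch-agent", "Running")]
# Constructed governance thresholds: required agent, disallowed tool, minimum SSM Agent version.
REQUIRED_APP, BLACKLISTED_APP, MIN_AGENT = "amazon-cloudwatch-agent", "nmap", "3.0.0.0"

def agent_outdated(version):  # compare dotted versions numerically, not as strings
    return tuple(map(int, version.split("."))) < tuple(map(int, MIN_AGENT.split(".")))

def load_inventory():
    """In-memory stand-in for the Athena tables; the queries keep the same shape."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("agent_outdated", 1, agent_outdated)
    conn.execute("CREATE TABLE aws_instanceinformation(accountid, resourceid, agentversion)")
    conn.execute("CREATE TABLE aws_application(accountid, resourceid, name)")
    conn.execute("CREATE TABLE aws_service(accountid, resourceid, name, status)")
    conn.executemany("INSERT INTO aws_instanceinformation VALUES (?,?,?)", INSTANCES)
    conn.executemany("INSERT INTO aws_application VALUES (?,?,?)", APPS)
    conn.executemany("INSERT INTO aws_service VALUES (?,?,?,?)", SERVICES)
    return conn

# One query per use case; each yields (accountid, count) rows, i.e. one dashboard tile.
USE_CASES = {
    "outdated_agent": ("SELECT accountid, COUNT(*) FROM aws_instanceinformation "
                       "WHERE agent_outdated(agentversion) GROUP BY accountid", ()),
    "missing_required_app": ("SELECT i.accountid, COUNT(*) FROM aws_instanceinformation i "
                             "WHERE NOT EXISTS (SELECT 1 FROM aws_application a WHERE a.resourceid "
                             "= i.resourceid AND a.name = ?) GROUP BY i.accountid", (REQUIRED_APP,)),
    "required_app_not_running": ("SELECT a.accountid, COUNT(*) FROM aws_application a JOIN aws_service s "
                                 "ON s.resourceid = a.resourceid AND s.name = a.name WHERE a.name = ? "
                                 "AND s.status <> 'Running' GROUP BY a.accountid", (REQUIRED_APP,)),
    "blacklisted_app": ("SELECT accountid, COUNT(DISTINCT resourceid) FROM aws_application "
                        "WHERE lower(name) = ? GROUP BY accountid", (BLACKLISTED_APP,)),
}

def findings(conn):  # {use_case: {accountid: count}}
    return {k: dict(conn.execute(q, p).fetchall()) for k, (q, p) in USE_CASES.items()}

def top_accounts(conn, n=3):  # accounts with the most findings overall, ties broken by id
    totals = {}
    for acct, count in (kv for per_acct in findings(conn).values() for kv in per_acct.items()):
        totals[acct] = totals.get(acct, 0) + count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

Against Athena, the same SQL runs over the S3-backed tables directly; the version comparison would then need a SQL expression rather than the registered Python function.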

Prerequisites and Assumptions

This article presumes familiarity with the following AWS services integral to the solution:

  • AWS Systems Manager: For gathering details on software installations across Amazon EC2 instances.
  • Amazon S3: To centrally store the gathered inventory data.
  • AWS Glue: For discovering inventory data and maintaining associated metadata (like table definitions and schemas) in the AWS Glue Data Catalog.
  • Amazon Athena: For querying inventory data in Amazon S3 using standard SQL.
  • Amazon QuickSight: To develop dashboards and visualize the mentioned use cases.

In our demonstration, we utilize a Central Operations account alongside three resource accounts. However, the concept can be adapted for numerous resource accounts as well. The Central Operations account hosts an Amazon S3 bucket for storing and analyzing inventory using services like AWS Glue, Amazon Athena, and Amazon QuickSight. The Resource accounts house the Amazon EC2 instances from which software inventory governance is required.

You can also conduct a proof-of-concept within a single account while following the same steps, as described in the comprehensive guide available here.

The setup requires Amazon EC2 instances from which to collect and analyze inventory data, IAM access to create or modify AWS resources, and instances configured as AWS Systems Manager managed instances, since Inventory collection only works on managed instances. Managed instances also need connectivity to the AWS Systems Manager and Amazon S3 APIs, either through an internet gateway or a VPC endpoint.

Walkthrough

Step 1

Create an Amazon S3 bucket in the ‘Central Operations’ account. This bucket will serve as the repository for software inventory data collected by AWS Systems Manager. For best practices regarding security, refer to the guidelines on securing Amazon S3.

Step 2

Configure a bucket policy on the Amazon S3 bucket established in Step 1. This policy will enable cross-account storage and analysis of software inventory data. Replace <BUCKET-NAME> with the bucket name, <PREFIX> with the key prefix chosen for the resource data sync, and the <RESOURCE-ACCOUNT-n-ID> values with the IDs of the resource accounts that will deliver inventory (one resource entry per account).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<BUCKET-NAME>"
        },
        {
            "Sid": "quicksight",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "glue.amazonaws.com",
                    "quicksight.amazonaws.com",
                    "athena.amazonaws.com"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET-NAME>/*",
                "arn:aws:s3:::<BUCKET-NAME>"
            ]
        },
        {
            "Sid": "SSMBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::<BUCKET-NAME>/<PREFIX>/*/accountid=<RESOURCE-ACCOUNT-1-ID>/*",
                "arn:aws:s3:::<BUCKET-NAME>/<PREFIX>/*/accountid=<RESOURCE-ACCOUNT-2-ID>/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

This policy grants only the AWS services involved access to the software inventory data: Systems Manager may check the bucket ACL and write objects under each resource account's own accountid= path (and only with bucket-owner-full-control, so the Central Operations account owns every delivered object), while Glue, Athena and QuickSight get read and list access for analysis.

By following these guidelines, organizations can establish a comprehensive Software Asset Governance framework on AWS that enhances their cybersecurity efforts and ensures compliance across their software landscape.

